CVE-2026-34591: Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write

April 1, 2026 (updated April 15, 2026)

A crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process.

References

github.com/advisories/GHSA-2599-h6xx-hpxp
github.com/python-poetry/poetry
github.com/python-poetry/poetry/pull/10792
github.com/python-poetry/poetry/releases/tag/2.3.3
github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxp
nvd.nist.gov/vuln/detail/CVE-2026-34591

Code Behaviors & Features

Detect and mitigate CVE-2026-34591 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →